registry  /  @orangeworks/orangetree  /  0.22.0

@orangeworks/orangetree@0.22.0

Branching session-tree work-tracking tool (local-first, TypeScript)

AI Security Review

scanned 5d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package is a local web app/daemon for managing Claude sessions and optional remote pairing, with risky primitives tied to documented user workflows.

Static reason
One or more suspicious static signals were detected.
Trigger
User runs orangetree CLI or interacts with the local web UI.
Impact
User-authorized project file access, Claude session execution, optional remote access when configured; no evidence of hidden harvesting or exfiltration.
Mechanism
Local daemon, Claude CLI orchestration, optional cloud pairing/tunnel and self-update.
Rationale
Static inspection shows sensitive behavior, but it is aligned with the package's stated purpose as a local Claude work-tracking app and is activated by CLI/UI actions rather than install/import hooks. I found no credential harvesting, hidden exfiltration, persistence beyond the documented daemon, or unconsented AI-agent control-surface mutation.
Evidence
package.jsonREADME.mddist/bin/orangetree.jsdist/server.js~/.orangetree~/.orangetree-botsconfigured OTREE_ROOT work tree
Network endpoints3
api.orangetree.devgithub.com/fosrl/newt/releases/download/1.13.0registry.npmjs.org/-/package/@orangeworks/orangetree/dist-tags

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/server.js defaults Claude SDK permissionMode to bypassPermissions for user-created sessions.
  • dist/bin/orangetree.js can spawn a detached daemon and self-update via global npm install when user invokes update.
  • dist/server.js can download a Newt tunnel binary from GitHub releases, but with pinned SHA256 hashes.
Evidence against
  • package.json has no install/preinstall/postinstall lifecycle hooks.
  • README.md describes a local-first Orange Tree app that orchestrates the user's claude CLI.
  • dist/bin/orangetree.js only starts/stops/status/updates the app daemon on explicit CLI invocation.
  • dist/server.js binds local mode to 127.0.0.1 and gates remote mode with token or cloud-session auth.
  • dist/server.js filesystem routes use root-jail/path checks for configured work roots.
  • Network use is package-aligned: update checks, cloud pairing/auth/reporting, and optional tunnel acquisition.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 61 file(s), 1.52 MB of source, external domains: 127.0.0.1, api.orangetree.dev, github.com, json-schema.org, orangetree.dev, registry.npmjs.org, www.w3.org

Source & flagged code

4 flagged · loading source
dist/bin/orangetree.jsView file
87// lib/daemon.ts L88: import { spawn, spawnSync } from "node:child_process"; L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/bin/orangetree.jsView on unpkg · L87
312const ps = `$s=(New-Object -ComObject WScript.Shell).CreateShortcut(${psStr(lnk)});$s.TargetPath=${psStr(wscript)};$s.Arguments=${psStr(`//B //Nologo "${vbs}"`)};$s.Description='Or... L313: spawnSync("powershell.exe", ["-NoProfile", "-NonInteractive", "-Command", ps], { stdio: "ignore", windowsHide: true }); L314: }
High
Shell

Package source references shell execution.

dist/bin/orangetree.jsView on unpkg · L312
87// lib/daemon.ts L88: import { spawn, spawnSync } from "node:child_process"; L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs"; L90: import { request } from "node:http"; L91: import { homedir } from "node:os"; ... L99: function dataRoot() { L100: return process.env.OTREE_DATA ?? join2(homedir(), ".orangetree"); L101: }
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/bin/orangetree.jsView on unpkg · L87
64Cross-file remote execution chain: dist/bin/orangetree.js spawns dist/server.js; helper contains network access plus dynamic code execution. L64: try { L65: return normalize(JSON.parse(readFileSync(path, "utf8"))); L66: } catch { ... L72: const fill = (key, value) => { L73: if (value != null && process.env[key] === void 0) process.env[key] = value; L74: }; ... L87: // lib/daemon.ts L88: import { spawn, spawnSync } from "node:child_process"; L89: import { closeSync, existsSync as existsSync2, mkdirSync, openSync, readFileSync as readFileSync2, renameSync, rmSync, writeFileSync } from "node:fs"; L90: import { request } from "node:http"; L91: import { homedir } from "node:os"; ... L99: function dataRoot() {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/bin/orangetree.jsView on unpkg · L64

Findings

4 High2 Medium5 Low
HighChild Processdist/bin/orangetree.js
HighShelldist/bin/orangetree.js
HighSame File Env Network Executiondist/bin/orangetree.js
HighCross File Remote Execution Contextdist/bin/orangetree.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License